2.4.8-rc1

Overview

Security (Moderate Severity): Ensure the JavaScript content type is sent in form responses. If the content type is HTML and the JavaScript contains script tags within the content, this content will be executed.

Security (Low Severity): Fixed a remote code execution vulnerability in install.php caused by inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway.
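The class of bug in the install.php item, shown as an added example that is not SilverStripe's own installer code: a generator that interpolates form values into PHP source, next to one that emits each value with `var_export()`, plus a token check that the generated file is only an array of string literals. The function names, the `$databaseConfig` layout and the sample input are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helpers; not taken from install.php.

// Vulnerable pattern: user data is pasted into PHP source text, so a
// single quote in a value ends the string literal early.
function renderConfigUnsafe(array $db): string {
    return "<?php\n\$databaseConfig = array(\n"
        . "    'server' => '{$db['server']}',\n"
        . "    'username' => '{$db['username']}',\n"
        . ");\n";
}

// Hardened pattern: var_export() returns a correctly escaped PHP literal,
// so the value can only ever be data in the generated file.
function renderConfigSafe(array $db): string {
    $lines = [];
    foreach (['server', 'username'] as $key) {
        if (!is_string($db[$key] ?? null)) {
            throw new InvalidArgumentException("$key must be a string");
        }
        $lines[] = '    ' . var_export($key, true) . ' => '
            . var_export($db[$key], true) . ',';
    }
    return "<?php\n\$databaseConfig = array(\n" . implode("\n", $lines) . "\n);\n";
}

// Defensive check: the generated source may contain only the tokens of
// "$var = array('key' => 'value', ...);" and nothing else.
function isPlainArrayAssignment(string $source): bool {
    $allowedIds = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_ARRAY,
                   T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all($source) as $tok) {
        $ok = is_array($tok)
            ? in_array($tok[0], $allowedIds, true)
            : in_array($tok, ['=', '(', ')', ',', ';'], true);
        if (!$ok) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: a form value containing a single quote.
$input = ['server' => "localhost'; echo 'constructed-marker", 'username' => 'root'];
var_dump(isPlainArrayAssignment(renderConfigUnsafe($input)));
var_dump(isPlainArrayAssignment(renderConfigSafe($input)));
```

The unsafe output fails the check because the quote turns the rest of the value into PHP statements; the `var_export()` output passes because the same value stays inside one escaped literal.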

Details

API Changes

2012-02-01 bf4476a silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)

2012-02-01 4abe136 silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)

Bugfixes

2012-07-09 838ac97 fixing an edge-case bug where a 404-page would get statically published and overwrite the homepage of the site (this would sometimes happen when a RedirectorPage was set to an external URL and still referenced an internal page ID) (Julian Seidenberg)

2012-05-04 392543b Don't set 'Referer' header in FunctionalTest->get()/post() if it's explicitly passed to the method (Ingo Schommer)

2012-05-03 9bf3ae9 SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed. (Andrew O'Neil)